NASA network security torched

15.10.2009

In addition, an application for storing and sharing data, such as computer-aided design and electrical drawings and engineering documentation for Ares launch vehicles, is being used by 7 agency data centers at 11 locations. Accordingly, effective information security controls are essential to ensuring that sensitive information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure or manipulation, and destruction, the GAO stated.

Some of the issues the GAO found included:

• One center reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data with information for Hypersonic Wind Tunnel testing for the X-51 scramjet project and possibly personally identifiable information. Another center reported the theft of a laptop containing thermal models, review documentation, test plans, test reports, and requirements documents pertaining to NASA’s Lunar Reconnaissance Orbiter and James Webb Space Telescope projects. The incident report does not indicate whether this lost data was unencrypted or encrypted or how the incident was resolved. Significantly, these were not isolated incidents since NASA reported 209 incidents of unauthorized access to US-CERT during fiscal years 2007 and 2008.

• NASA did not configure certain systems and networks at two centers to have complex passwords. Specifically, these systems and networks did not always require users to create long passwords. In addition, users did not need passwords to access certain network devices. Furthermore, encrypted password and network configuration files were not adequately protected, and passwords were not encrypted. As a result, increased risk exists that a malicious individual could guess or otherwise obtain user identification and passwords to gain network access to NASA systems and sensitive data.

• Although NASA has implemented cryptography, it was not always sufficient, or was not used at all, when transmitting sensitive information. For example, NASA centers did not always employ a robust encryption algorithm that complied with federal standards to encrypt sensitive information. The three centers we reviewed neither used encryption to protect certain network management connections, nor did they require encryption for authentication to certain internal services. Instead, the centers used unencrypted protocols to manage network devices, such as routers and switches.
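The password and encryption findings above describe concrete configuration states: passwords that are short, absent, or stored unencrypted, and routers and switches managed over unencrypted protocols. As an added example that is not part of the article or of the GAO report, the following Python script audits a constructed IOS-style configuration fragment for exactly those settings and places the weak configuration beside a corrected one. The two sample configurations, the 12-character minimum and the list of checks are assumptions made for illustration, not the GAO's audit method and not any real NASA device configuration.

```python
"""Audit an IOS-style device configuration for the weaknesses the GAO findings describe:
cleartext or missing passwords, no minimum length, and unencrypted management protocols.
Constructed illustration; not the GAO's audit procedure and not any real NASA config."""
import re

MIN_PASSWORD_LENGTH = 12  # assumption: a chosen policy value, not a number from the report

# Constructed sample configurations (assumption: invented for this example).
WEAK_CONFIG = """\
hostname edge-router-1
enable password letmein
username admin password admin
snmp-server community public RO
line vty 0 4
 transport input telnet
 login local
line con 0
 no login
"""

HARDENED_CONFIG = """\
hostname edge-router-1
service password-encryption
security passwords min-length 12
enable secret 5 $1$abcd$constructed.hash.value
username admin secret 5 $1$abcd$constructed.hash.value
ip ssh version 2
snmp-server group monitor v3 priv
line vty 0 4
 transport input ssh
 login local
line con 0
 login local
"""


def parse_config(text):
    """Split a config into global commands and the indented bodies of 'line ...' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_config(text):
    """Return a list of human-readable findings; an empty list means no weak setting was seen."""
    findings = []
    global_cmds, sections = parse_config(text)

    # Password storage: cleartext lines are the finding; 'enable secret' stores a hash.
    if not any(c.startswith("service password-encryption") for c in global_cmds):
        findings.append("passwords stored in cleartext: 'service password-encryption' missing")
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append("'enable password' used instead of 'enable secret'")
    for c in global_cmds:
        if c.startswith("username ") and " password " in c:
            findings.append(f"user '{c.split()[1]}' has a cleartext password line")

    # Password length policy: absent means no minimum is enforced.
    min_len = 0
    for c in global_cmds:
        m = re.match(r"security passwords min-length (\d+)$", c)
        if m:
            min_len = int(m.group(1))
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {min_len} is below {MIN_PASSWORD_LENGTH}")

    # Management plane: SNMPv1/v2c community strings and telnet travel unencrypted.
    if any(c.startswith("snmp-server community ") for c in global_cmds):
        findings.append("SNMP v1/v2c community string configured (unencrypted management)")
    ssh_enforced = any(c == "ip ssh version 2" for c in global_cmds)
    for name, body in sections.items():
        transports = [b.split()[2:] for b in body if b.startswith("transport input ")]
        allowed = {t for ts in transports for t in ts}
        if "telnet" in allowed or "all" in allowed:
            findings.append(f"{name}: telnet permitted for device management")
        if "ssh" in allowed and not ssh_enforced:
            findings.append(f"{name}: SSH allowed but 'ip ssh version 2' not set")
        if "no login" in body or not any(b.startswith("login") for b in body):
            findings.append(f"{name}: no password required to access this line")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Running the script reports seven findings for the weak fragment (cleartext and missing passwords, no length policy, an SNMP community string, telnet on the virtual terminal lines, and a console line with no login) and none for the hardened one. The checks are deliberately string-based so they can be pointed at exported configuration backups without device access; a production audit would add the per-platform commands and the secret-storage checks of whatever devices are actually in use.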